网络拓扑:

在中小企业的办公网络的设计中,通常为了安全考虑,需要将不同部门之间的互访的流量经过防火墙中转,同时结合vpn stance将业务进行隔离,在本例中,使用两台USG防火墙做HA作为整个办公网的接入防火墙,企业的互联网接入有电信和联通的两条专线进行接入。

设计要点:

1.两台USG防火墙互联的业务口使用子接口的方式进行互联

通常使用子接口的方式一方面可以节省设备的物理接口。另一方面下联交换机通过trunk的方式接入,使用子接口可以很容易的创建大量的安全域实现隔离。

2.通常建议USG防火墙使用主备模式的HA,不建议使用负载分担模式的HA

由于防火墙的HA是基于会话和状态的,因此在高可用要求高的场合不建议使用负载分担的方式。

3.对不同的业务访问使用策略路由进行控制

在本例中,开发和测试访问internet默认走联通的链路,财务和OA默认走电信的链路。

4.对不同的业务创建不同的安全域

5.对不同的业务间的访问通过防火墙的安全策略进行精细化的控制

配置如下:

HRP_M[BJ-ZHX-FW]

===================================================================

#
sysname BJ-ZHX-FW
#
l2tp domain suffix-separator @
#
ipsec sha2 compatible enable
#
undo telnet server enable
undo telnet ipv6 server enable
#
hrp enable
hrp standby-device
hrp interface Eth-Trunk0 remote 172.16.1.3 heartbeat-only
hrp auto-sync config static-route
#
update schedule location-sdb weekly Sun 22:24
#
firewall defend action discard
#
banner enable
#
user-manage web-authentication security port 8887
undo privacy-statement english
undo privacy-statement chinese
page-setting
user-manage security version tlsv1.1 tlsv1.2
password-policy
level high
user-manage single-sign-on ad
user-manage single-sign-on tsm
user-manage single-sign-on radius
user-manage auto-sync online-user
#
web-manager security version tlsv1.1 tlsv1.2
web-manager enable
web-manager security enable
undo web-manager config-guide enable
#
firewall dataplane to manageplane application-apperceive default-action drop
#
undo ips log merge enable
#
decoding uri-cache disable
#
update schedule ips-sdb daily 23:01
update schedule av-sdb daily 23:01
update schedule sa-sdb daily 23:01
update schedule cnc daily 23:01
update schedule file-reputation daily 23:01
#
ip vpn-instance default
ipv4-family
#
ip address-set kaifa type object
description kaifa
address 0 10.158.0.0 mask 16
#
ip address-set ceshi type object
description ceshi
address 0 10.133.0.0 mask 16
#
ip address-set caiwu type object
description caiwu
address 0 10.125.0.0 mask 16
#
ip address-set oa type object
description oa
address 0 10.178.0.0 mask 16
#
ip address-set bj-lan type group
address 0 address-set kaifa
address 1 address-set ceshi
address 2 address-set caiwu
address 3 address-set oa
#
time-range worktime
period-range 08:00:00 to 18:00:00 working-day
#
ike proposal default
encryption-algorithm aes-256 aes-192 aes-128
dh group14
authentication-algorithm sha2-512 sha2-384 sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
aaa
authentication-scheme default
authentication-scheme admin_local
authentication-scheme admin_radius_local
authentication-scheme admin_hwtacacs_local
authentication-scheme admin_ad_local
authentication-scheme admin_ldap_local
authentication-scheme admin_radius
authentication-scheme admin_hwtacacs
authentication-scheme admin_ad
authorization-scheme default
accounting-scheme default
domain default
service-type internetaccess ssl-vpn l2tp ike
internet-access mode password
reference user current-domain
manager-user audit-admin
password cipher @%@%Dm)zP@/@B4'q&:QY1cq&e>f>Sf6j8)KBs/hcLwX"yogE>fAe@%@%
service-type web terminal
level 15

manager-user api-admin
password cipher @%@%}:)A*y$fjAi$*h91`2*Be3@Y6SreDuX7`>7`tY1kII^V3@\e@%@%
level 15

manager-user admin
password cipher @%@%x;X'+k=QR+t,#'*3\ME;a9Z=UFJ(U}+g{S:qBn3g'woV9Z@a@%@%
service-type web terminal
level 15

role system-admin
role device-admin
role device-admin(monitor)
role audit-admin
bind manager-user audit-admin role audit-admin
bind manager-user admin role system-admin
#
interface Eth-Trunk0
ip address 172.16.1.2 255.255.255.240
vrrp vrid 10 virtual-ip 172.16.1.1 active
alias hearbeat
gateway 172.16.1.3
undo service-manage enable
#
l2tp-group default-lns
#
interface GigabitEthernet0/0/0
undo shutdown
ip binding vpn-instance default
ip address 192.168.0.1 255.255.255.0
alias GE0/METH
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
#
interface GigabitEthernet1/0/0
undo shutdown
eth-trunk 0
#
interface GigabitEthernet1/0/1
undo shutdown
eth-trunk 0
#
interface GigabitEthernet1/0/2
undo shutdown
#
interface GigabitEthernet1/0/2.1
vlan-type dot1q 10
ip address 61.135.142.2 255.255.255.224
vrrp vrid 20 virtual-ip 61.135.142.3 active
alias untrust-cu
gateway 61.135.142.1
undo service-manage enable
#
interface GigabitEthernet1/0/2.2
vlan-type dot1q 20
ip address 222.128.90.2 255.255.255.224
vrrp vrid 30 virtual-ip 222.128.90.3 active
alias untrust-ct
gateway 222.128.90.1
#
interface GigabitEthernet1/0/3
undo shutdown
#
interface GigabitEthernet1/0/3.1
vlan-type dot1q 40
ip address 10.158.1.251 255.255.255.0
vrrp vrid 40 virtual-ip 10.158.1.253 active
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
#
interface GigabitEthernet1/0/3.2
vlan-type dot1q 50
ip address 10.133.1.251 255.255.255.0
vrrp vrid 50 virtual-ip 10.133.1.253 active
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
#
interface GigabitEthernet1/0/3.3
vlan-type dot1q 60
ip address 10.125.1.251 255.255.255.0
vrrp vrid 60 virtual-ip 10.125.1.253 active
alias GE1/0/3.3
gateway 10.125.1.254
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
#
interface GigabitEthernet1/0/3.4
vlan-type dot1q 70
ip address 10.178.1.251 255.255.255.0
vrrp vrid 70 virtual-ip 10.178.1.253 active
alias GE1/0/3.4
gateway 10.178.1.254
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
#
interface GigabitEthernet1/0/4
undo shutdown
#
interface GigabitEthernet1/0/5
undo shutdown
#
interface GigabitEthernet1/0/6
undo shutdown
#
interface Virtual-if0
#
interface NULL0
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/2.1
add interface GigabitEthernet1/0/2.2
#
firewall zone dmz
set priority 50
add interface Eth-Trunk0
#
firewall zone name kaifa id 4
description kaifa
set priority 80
add interface GigabitEthernet1/0/3.1
#
firewall zone name ceshi id 5
description ceshi
set priority 75
add interface GigabitEthernet1/0/3.2
#
firewall zone name caiwu id 6
description caiwu
set priority 70
add interface GigabitEthernet1/0/3.3
#
firewall zone name oa id 7
description oa
set priority 65
add interface GigabitEthernet1/0/3.4
#
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet1/0/2.1 61.135.142.1
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet1/0/2.2 222.128.90.1
#
undo ssh server compatible-ssh1x enable
ssh authentication-type default password
ssh server cipher aes256_ctr aes128_ctr
ssh server hmac sha2_256 sha1
ssh client cipher aes256_ctr aes128_ctr
ssh client hmac sha2_256 sha1
#
firewall detect ftp
#
user-interface con 0
authentication-mode aaa
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
user-interface vty 16 20
#
pki realm default
#
sa
#
location
#
multi-linkif
mode proportion-of-weight
#
right-manager server-group
#
device-classification
device-group pc
device-group mobile-terminal
device-group undefined-group
#
user-manage server-sync tsm
#
security-policy
rule name trust-to-untrust-kaifa
source-zone kaifa
destination-zone trust
source-address address-set kaifa
action permit
rule name trust-to-untrust-ceshi
source-zone ceshi
destination-zone untrust
source-address address-set ceshi
action permit
rule name trust-to-untrust-caiwu
source-zone caiwu
destination-zone untrust
source-address address-set caiwu
action permit
rule name trust-to-untrust-oa
source-zone oa
destination-zone untrust
source-address address-set oa
action permit
#
auth-policy
#
traffic-policy
#
policy-based-route
rule name trust-cu 1
source-zone ceshi
source-zone kaifa
source-address address-set ceshi
source-address address-set kaifa
action pbr egress-interface GigabitEthernet1/0/2.1 next-hop 61.135.142.1
rule name trust-ct 2
source-zone caiwu
source-zone oa
source-address address-set caiwu
source-address address-set oa
action pbr egress-interface GigabitEthernet1/0/2.2 next-hop 222.128.90.1
#
nat-policy
rule name trust-to-untrust-kaifa
description trust-to-untrust-kaifa
source-zone kaifa
destination-zone untrust
source-address address-set kaifa
action source-nat easy-ip
rule name trust-to-untrust-ceshi
description trust-to-untrust-ceshi
source-zone ceshi
destination-zone untrust
source-address address-set ceshi
action source-nat easy-ip
rule name trust-to-untrust-caiwu
description trust-to-untrust-caiwu
source-zone caiwu
destination-zone untrust
source-address address-set caiwu
action source-nat easy-ip
rule name trust-to-untrust-oa
description trust-to-untrust-oa
source-zone oa
destination-zone untrust
source-address address-set oa
action source-nat easy-ip
#
quota-policy
#
pcp-policy
#
dns-transparent-policy
#
rightm-policy
#
return

ZHX-SW

===================================================================

#
sysname ZHX-SW
#
vlan batch 2 to 5 40 50 60 70 80
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
ip vpn-instance caiwu
ipv4-family
route-distinguisher 65001:300
vpn-target 65001:300 export-extcommunity
vpn-target 65002:300 import-extcommunity
#
ip vpn-instance ceshi
ipv4-family
route-distinguisher 65001:200
vpn-target 65001:200 export-extcommunity
vpn-target 65002:200 import-extcommunity
#
ip vpn-instance kaifa
ipv4-family
route-distinguisher 65001:100
vpn-target 65001:100 export-extcommunity
vpn-target 65002:100 import-extcommunity
#
ip vpn-instance oa
ipv4-family
route-distinguisher 65001:400
vpn-target 65001:400 export-extcommunity
vpn-target 65002:400 import-extcommunity
#
drop-profile default
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password simple admin
local-user admin service-type http
#
interface Vlanif1
shutdown
#
interface Vlanif40
ip binding vpn-instance kaifa
ip address 10.158.1.254 255.255.255.0
#
interface Vlanif50
ip binding vpn-instance ceshi
ip address 10.133.1.254 255.255.255.0
#
interface Vlanif60
ip binding vpn-instance caiwu
ip address 10.125.1.254 255.255.255.0
#
interface Vlanif70
ip binding vpn-instance oa
ip address 10.178.1.254 255.255.255.0
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 40 50 60 70 80
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 40 50 60 70 80
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
#
interface GigabitEthernet0/0/11
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
#
interface GigabitEthernet0/0/22
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 vpn-instance kaifa 10.158.1.253
ip route-static vpn-instance ceshi 0.0.0.0 0.0.0.0 Vlanif50 10.133.1.253
ip route-static vpn-instance caiwu 0.0.0.0 0.0.0.0 Vlanif60 10.125.1.253
ip route-static vpn-instance oa 0.0.0.0 0.0.0.0 Vlanif70 10.178.1.253
#
user-interface con 0
user-interface vty 0 4
#
return

NAT策略如下

===================================================================

安全策略如下

===================================================================

策略路由配置

===================================================================

IP-LINK的配置

===================================================================

huawei USG防火墙子接口技术的应用案例的更多相关文章

  1. 《嵌入式系统原理与接口技术》——嵌入式系统接口应用基础

    本文为我负责编写的电子工业出版社出版的<嵌入式系统原理与接口技术>一书第七章部分,这里整理的仍然是修改稿,供需要的同学参考,本书为普通高等教育"十二五"规划教材,电子信 ...

  2. Flink实战| Flink+Redis实时防刷接口作弊

    随着人口红利的慢慢削减,互联网产品的厮杀愈加激烈,大家开始看好下沉市场的潜力,拼多多,趣头条等厂商通过拉新奖励,购物优惠等政策率先抢占用户,壮大起来.其他各厂商也紧随其后,纷纷推出自己产品的极速版,如 ...

  3. 如何处理Android中的防缓冲区溢出技术

    [51CTO专稿]本文将具体介绍Android中的防缓冲区溢出技术的来龙去脉. 1.什么是ASLR? ASLR(Address space layout randomization)是一种针对缓冲区溢 ...

  4. APK防反编译技术

    APK防反编译技术 下载地址:地址 我们的APK实际上就是一个ZIP压缩文件,里面包括有一个classes.dex.我们编译后生成的程序代码就所有在那里了, 通过apktool等工具能够轻松地将它们反 ...

  5. VB 共享软件防破解设计技术初探(三)

    ×××××××××××××××××××××××××××××××××××××××××××××× 其他文章快速链接: VB 共享软件防破解设计技术初探(一)http://bbs.pediy.com/sho ...

  6. VB 共享软件防破解设计技术初探(二)

    VB 共享软件防破解设计技术初探(二) ×××××××××××××××××××××××××××××××××××××××××××××× 其他文章快速链接: VB 共享软件防破解设计技术初探(一)http ...

  7. VB 共享软件防破解设计技术初探(一)

    VB 共享软件防破解设计技术初探(一) ×××××××××××××××××××××××××××××××××××××××××××××× 其他文章快速链接: VB 共享软件防破解设计技术初探(二)http ...

  8. ABAP重点各种接口技术

    转自 http://www.cnblogs.com/penley/archive/2008/11/12/1332140.html 下面总结一下ABAP中的各种接口技术,因为学习时间不是很长,肯定还不全 ...

  9. 2017.11.1 微型计算机原理与接口技术-----第七章 中断系统与8237A DMA控制器

    第七章 微型计算机原理与接口技术-----中断系统与8237A DMA控制器 (1)数据传送的两种方式:中断方式和直接存储器存取方式(DMA):中断是微处理器与外部设备交换信息的一种方式:DMA是存储 ...

随机推荐

  1. 3、redis使用场景

    现代高并发复杂系统面临的挑战 现代系统随着功能的复杂化,各种各样需求层出不穷,面对愈加复杂话的业务系统.越来越庞大的用户群体,以及用户对体验的要求越来越高,性能就变得更加重要. 抛开代码逻辑.服务器性 ...

  2. Troubleshooting 10g and 11.1 Clusterware Reboots (文档 ID 265769.1)

    Troubleshooting 10g and 11.1 Clusterware Reboots (文档 ID 265769.1) This document is intended for DBA' ...

  3. Idea项目上传git(与git结合使用)

    Prerequisite(前提): 1.拥有github账号 2.本地电脑安装git 3.拥有一个guthub的新仓库 一.本地git与github安全连接(若已经将本地git与github建立连接, ...

  4. gradle项目

    gradle构建web项目 0.安装gradle http://services.gradle.org/distributions/ 下载对应版本:gradle-5.2.1-bin.zip 解压到自定 ...

  5. SQL server 2008(Linux安装)

    今天应公司的要求,需要在阿里云上安装sql server 在本地使用,由于自己原来没有涉及过这样的安装所以走了很多的弯路.现在将我的安装过程与大家分享,希望能够帮到想要学习这个方面的人.以下是我用Ce ...

  6. DLC 复合逻辑运算

    与非逻辑运算 或非逻辑运算 与或非逻辑运算 异或逻辑运算 同或逻辑运算

  7. 2008R2 部署 aspnetcore repair failed 函数不正确

    vc_redist.x64

  8. Docker笔记——Docker安装及制作镜像

    1 Docker安装本文中Docker运行环境为Ubuntu 14.04.1 LTS 3.13.0-32-generic x64参考:https://docs.docker.com/v1.11/eng ...

  9. 十进制 -> 十六进制

    x /16 依次取余 ,最先余作十六进制的最低 字节有效位,最后的余数  作最高的字节有效位,其中我们需要注意理解 的是  一个 数据的 最高字节及  内存的 高地址及低地址 更进一步的就算机器存储的 ...

  10. matlab-画个拱桥和倒影?

    matlab可用于各行各业的应用中,现在我们就简单画一个拱桥试一试. r=input('请输入半径: '); z=input('请输入弧度: '); figure() %r=4; %画拱洞,用李萨如图 ...